NETbuilder Ltd

Azure Managed Infrastructure

NETbuilder provides Microsoft Azure professional services from strategy through platform build, maintenance and support to live service deployment on Azure infrastructure. Our experts help advise, manage, design and deliver integrated Azure work packages or end-to-end solutions.

Features

  • Support design of cloud architecture and infrastructures on Azure
  • Support private cloud hosting in secured facilities
  • Provide fully redundant and resilient cloud infrastructures built on Azure
  • Support flexible and scalable storage, network, monitoring and backup services
  • Provide industry-expert cloud implementation support for your Azure initiatives
  • Automate code testing, deployment processes and CI / CD infrastructure
  • Support Azure Virtual Machines, Active Directory, VPN Gateway, Security Center
  • Support Azure Government, RemoteApp, Storage, StorSimple, BackupAzure
  • Support Azure Site Recovery, CDN, SQL Database, Azure DocumentDB
  • Support Azure Key Vault, API Management, Azure Automation, Virtual Network

Benefits

  • Deliver operational cloud stacks at speed
  • Facilitate platform maturity enhancement and speed up your cloud transformation
  • Best-in-class implementation for cloud platform hosting applications
  • Reduce time to market and overall costs, and focus on engaging customers
  • Relieve IT staff of day-to-day operational and management activities
  • Flexible system configurations based on needs with automated cloud infrastructure
  • Add flexibility to your Azure cloud initiatives
  • Improve security posture and minimise cyber security risks

Pricing

£350 to £999 a person a day

  • Education pricing available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at gcloud@netbuilder.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 12

Service ID

677917522282988

Contact

NETbuilder Ltd Thomas Hooson
Telephone: 0845 680 2083
Email: gcloud@netbuilder.com

Service scope

Service constraints
The customer is responsible for, and remains liable for ensuring that their licensing is compliant with deployment in a virtualised cloud environment.

The customer is responsible for complying with the Azure service agreement and terms. This can be found at https://azure.microsoft.com/en-gb/support/legal/
System requirements
  • Operating systems must be x86 based.
  • Operating systems must not be end of support
  • Legacy environments will require an audit prior to acceptance

User support

Email or online ticketing support
Yes, at extra cost
Support response times
NETbuilder provide prioritised support services for the Managed Services, to be accessed by the Customer’s Technical Support Contacts 24 hours a day, 7 days a week (each such request a “Service Request” or an “Incident” or a “Change Request”) according to an agreed set of Response Times for each service request type and priority level.

Indicative response times:

• P1 Highest Severity Incident - 15 minute response
• P2 High Severity Incident - 1 hour
• P3 Medium Severity Incident - 2 hours
• P4 Low Severity Incident - 4 hours
User can manage status and priority of support tickets
No
Phone support
Yes
Phone support availability
24 hours, 7 days a week
Web chat support
No
Onsite support
Yes, at extra cost
Support levels
Our Production Support offering ensures that the customer’s technology estate is operational whilst providing them with significant autonomy in daily application and business operations. Production customers are assisted with a self-service portal that makes it easy to request help, search knowledgeable content and track progress on issues, and by the NETbuilder Technical Support team composed of service desk agents and a named Service Delivery Manager (SDM) primarily tasked with system maintenance, security, health reporting and monitoring on a 24x7 basis.

Our Enterprise Support offering builds on Production Support and is a premium full-service package developed with the goal of empowering customer teams to focus on their core business and deliver effectively at scale. This offering entitles the customer to a single point of contact with NETbuilder; the Technical Account Manager (TAM), a highly skilled professional proactively supporting the customer during deployment time and production related activities, while ensuring the ongoing maintenance and management of the technology stack. The TAM meets regularly with the customer and can assist with activities such as performance tuning, configuration and planning.

Pricing of the Managed Service is determined on a case by case basis dependent upon the service offering, service level agreements and customer requirements.
Support available to third parties
No

Onboarding and offboarding

Getting started
NETbuilder's service setup and onboarding process consists of several steps:

Introduction

• Visit the customer to meet the team and perform initial introductions
• Provide an overview of the Managed Service
• Formulate a plan for the next steps

Discovery

• Run an initial discovery phase in which we review and validate the scope of the service with the business and technical stakeholders
• Create an inventory of the resources to support
• Review existing security controls and processes
• Perform any necessary knowledge transfer
• Define a service catalogue with associated SLAs
• Review of resources and costs required for the managed service

On-Boarding

• Provision the support, networking and monitoring services
• Implement quality controls
• Check integration points
• Integrate to the customer business process
• Trial run end-to-end key use cases and live incidents
• Start preparing initial knowledge base and relevant run books
• Implement relevant security controls and processes

Transition

• Switch to the new support service
• Check hands for an official start
• Provide/receive frequent feedback and reporting for a defined period

Maintenance and Support

• Proactively support and maintain managed service resources
• Provide service level reports with KPIs
Service documentation
Yes
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
Customer instances and data can be transferred to the customer and source instance/data deleted upon completion. This transfer is included within the managed service cost.
End-of-contract process
A high level exit plan is contained within the Managed Service documentation. The exit plan contains off-boarding instructions as to whether the service is to be ceased or migrated to another third party.

Using the service

Web browser interface
Yes
Using the web interface
The AWS management console interface lets you access and manage AWS through a simple and intuitive web-based user interface. Access rights and levels of access are determined depending upon the specific AWS managed service that will be procured.

The Console facilitates cloud management for all aspects of your AWS account, including monitoring your monthly spending by service, managing security credentials, or even setting up new IAM Users.

All IaaS AWS administration, management, and access functions in the AWS Console are available in the AWS API and CLI. New AWS IaaS features and services provide full AWS Console functionality through the API and CLI at launch or within 180 days of launch.
Web interface accessibility standard
None or don’t know
How the web interface is accessible
The AWS management console interface lets you access and manage AWS through a simple and intuitive web-based user interface. Access rights and levels of access are determined depending upon the specific AWS managed service that will be procured.

The Console facilitates cloud management for all aspects of your AWS account, including monitoring your monthly spending by service, managing security credentials, or even setting up new IAM Users.

All IaaS AWS administration, management, and access functions in the AWS Console are available in the AWS API and CLI. New AWS IaaS features and services provide full AWS Console functionality through the API and CLI at launch or within 180 days of launch.
Web interface accessibility testing
None
API
Yes
What users can and can't do using the API
AWS provides extensive API support. Please visit https://docs.aws.amazon.com/ for detailed information.
API automation tools
  • Ansible
  • Chef
API documentation
Yes
API documentation formats
  • PDF
  • Other
Command line interface
Yes
Command line interface compatibility
  • Linux or Unix
  • Windows
  • MacOS
Using the command line interface
All aspects of the Azure service can be managed using the CLI

Scaling

Scaling available
Yes
Scaling type
Manual
Independence of resources
Azure represents a hyper-scale public cloud service.

In addition, NETbuilder can proactively monitor service and resource performance and review performance metrics with the customer.
Usage notifications
Yes
Usage reporting
  • API
  • Email
  • SMS

Analytics

Infrastructure or application metrics
Yes
Metrics types
  • CPU
  • Disk
  • HTTP request and response status
  • Memory
  • Network
  • Number of active instances
  • Other
Other metrics
  • Backup
  • Patching
  • Anti-Virus
  • Security controls & posture
Reporting types
  • API access
  • Real-time dashboards
  • Regular reports
  • Reports on request

Resellers

Supplier type
Reseller providing extra features and support
Organisation whose services are being resold
Microsoft Azure

Staff security

Staff security clearance
Conforms to BS7858:2012
Government security clearance
Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations
Yes
Data storage and processing locations
  • United Kingdom
  • European Economic Area (EEA)
  • EU-US Privacy Shield agreement locations
User control over data storage and processing locations
No
Datacentre security standards
Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Physical access control, complying with another standard
  • Encryption of all physical media
  • Scale, obfuscating techniques, or data storage sharding
Data sanitisation process
Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach
Complying with a recognised standard, for example CSA CCM v3.0, CAS (Sanitisation) or ISO/IEC 27001

Backup and recovery

Backup and recovery
Yes
What’s backed up
  • All applicable data including system configurations.
  • Log files, databases, instances and application data.
Backup controls
Backups are controlled by the Service Desk according to a backup schedule and retention period agreed with the customer
Datacentre setup
Multiple datacentres with disaster recovery
Scheduling backups
Supplier controls the whole backup schedule
Backup recovery
Users contact the support team

Data-in-transit protection

Data protection between buyer and supplier networks
  • Private network or public sector network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection between networks
For data in transit, Azure uses industry-standard secure transport protocols, such as TLS/SSL, between user devices and Microsoft datacentres. You can enable encryption for traffic between your own virtual machines (VMs) and your users. With Azure Virtual Networks, you can use the industry-standard IPsec protocol to encrypt traffic between your corporate VPN gateway and Azure as well as between the VMs located on your Virtual Network.
Data protection within supplier network
  • TLS (version 1.2 or above)
  • IPsec or TLS VPN gateway
  • Other
Other protection within supplier network
ACL Based Network Security Groups are also used. See https://azure.microsoft.com/en-us/blog/network-security-groups/

Availability and resilience

Guaranteed availability
NETbuilder will use commercially reasonable efforts to make the Included Services available for each Azure region with a Monthly Uptime Percentage of at least 99.99%, in each case during any monthly billing cycle. In the event any of the Included Services do not meet the Service Commitment, you will be eligible to receive a Service Credit as described below.

Less than 99.99% but equal to or greater than 99.0%: 10%
Less than 99.0% but equal to or greater than 95.0%: 30%
Less than 95.0%: 100%

Azure SLAs describing Microsoft's commitments for uptime and connectivity can be found at https://azure.microsoft.com/en-gb/support/legal/sla/
Approach to resilience
Microsoft’s approach to improving Azure reliability involves improving the platform’s capability to minimize impact during planned maintenance events and giving customers control over the experience during these events.

For more information please see https://azure.microsoft.com/en-gb/resources/resilience-in-azure-whitepaper/
Outage reporting
Alerts generated by our monitoring platform are received by our 24x7 Service Desk. SMS text alerts, phone calls and/or email notifications are generated and dispatched to user stakeholders for the affected services.

Identity and authentication

User authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google apps)
  • Username or password
  • Other
Other user authentication
Azure Active Directory is Microsoft’s multi-tenant cloud based directory and identity management service. Azure-AD provides an affordable, easy to use solution to give employees and business partners single sign-on (SSO) access to thousands of cloud SaaS Applications like Office365, Salesforce.com, DropBox, and Concur. For application developers, Azure-AD lets you focus on building your application by making it fast and simple to integrate with a world class identity management solution used by millions of organizations. Azure-AD also includes a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management.
Access restrictions in management interfaces and support channels
Management access utilises role based access controls and is granted only to those team members who need it. Two factor authentication is also used to further secure and control access.
Access restriction testing frequency
At least every 6 months
Management access authentication
  • 2-factor authentication
  • Identity federation with existing provider (for example Google Apps)
  • Dedicated link (for example VPN)
  • Username or password
Devices users manage the service through
Dedicated device on a segregated network (provider's own provision)

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
User-defined
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
User-defined
How long system logs are stored for
User-defined

Standards and certifications

ISO/IEC 27001 certification
Yes
Who accredited the ISO/IEC 27001
ISOQAR
ISO/IEC 27001 accreditation date
November 2018
What the ISO/IEC 27001 doesn’t cover
All aspects of our Managed Services are included within the scope of our ISO27001:2013 Accreditation.
ISO 28000:2007 certification
No
CSA STAR certification
No
PCI certification
No
Other security certifications
Yes
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Yes
Security governance certified
Yes
Security governance standards
  • ISO/IEC 27001
  • Other
Other security governance standards
• ISO27001:2013
• Cyber Essentials

Azure:

ISO 27001:2013, Cyber Essentials Plus; ISO 27017; ISO 27018; SOC 1/2/3
Information security policies and processes
Our ISO 27001 Management System identifies significant information security aspects and the associated impacts of our operations. These are managed at all times in a way that minimises risk to all our stakeholders. Training and continual risk assessment ensures this is undertaken in a controlled manner.

Specifically, we:

• Include information security considerations in existing management systems and initiatives with the aim of improving our management processes, information security performance, whilst committing, at a minimum, to compliance with relevant legislation, contractual security obligations and other requirements to which the company subscribes including ISO 27001
• Work in partnership with our contractors and suppliers to influence and/or improve the integrity of their information security.
• Provide and maintain information security.
• Identify and seek to prevent information security incidents which may arise from our processes, operations and work activities.
• Make adequate provision for dealing with all emergency situations in our business.
• Ensure available access to information security training for our staff, encouraging them to apply good practice at all times.
• Discuss information security issues regularly at the highest levels of the company and consult with our staff on all related matters.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Change requests can range from supporting Azure infrastructure design work through to provisioning new instances and services.

We use a well-defined change management process to ensure that changes are implemented in a controlled manner. Changes are risk assessed, include roll back/recovery procedures and are reviewed by our Change Advisory Board (CAB) prior to implementation.

Our change management process follows ITIL standards and is included in our ISO 27001 scope.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
NETbuilder has an ISO 27001 aligned vulnerability management process. This process is audited several times per year both internally and by a UKAS accredited ISO certification body.

All relevant systems are anti-malware protected. Updates are tested prior to deployment and are applied according to a schedule. Mailing list subscriptions and security alert briefings are used to keep abreast of the latest vulnerabilities.

Vulnerability assessments are also performed on a regular basis using industry standard tools and remediated in a timely manner.

Microsoft performs vulnerability scans on the host operating system, web applications, and databases in the Azure environment.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
NETbuilder has an ISO 27001 aligned protective monitoring process. These processes are audited several times per year internally, externally and by the ISO governing body.

Protection is provided in a number of ways, including SIEM, IPS, host sensors and next generation firewalls.

AWS deploys (pan-environmental) monitoring devices to collect information on unauthorized intrusion attempts, usage abuse, and network/application bandwidth-usage. Devices monitor:

• Port scanning attacks
• Usage (CPU, processes, disk utilization, swap rates, software-error generated losses)
• Application metrics
• Unauthorized connection attempts

Near real-time alerts flag potential compromise incidents, based on Azure Service/Security Team-set thresholds.
Incident management type
Supplier-defined controls
Incident management approach
NETbuilder's Incident Management process follows the ITIL standard and is included in our ISO 27001 scope. As such, it is audited and approved by our external auditors. Incidents are raised by customers (via the service desk portal, email or phone), monitoring systems or service desk technicians. Root cause analysis is performed for any incident.

Azure has its own comprehensive Incident Management plan, details of which can be provided upon request.

Secure development

Approach to secure software development best practice
Conforms to a recognised standard, but self-assessed

Separation between users

Virtualisation technology used to keep applications and users sharing the same infrastructure apart
Yes
Who implements virtualisation
Supplier
Virtualisation technologies used
Hyper-V
How shared infrastructure is kept separate
Azure is a multi-tenant service, which means that multiple customer deployments and VMs are stored on the same physical hardware. Azure uses logical isolation to segregate each customer’s data from the data of others. Segregation provides the scale and economic benefits of multi-tenant services while rigorously preventing customers from accessing one another’s data.

Detailed information can be found at https://docs.microsoft.com/en-us/azure/security/

Energy efficiency

Energy-efficient datacentres
No

Pricing

Price
£350 to £999 a person a day
Discount for educational organisations
Yes
Free trial available
No
